Creating an SFTP Server using OpenSSH

This article describes how to configure a basic OpenSSH server on Windows.

Prerequisites

  • A device running at least Windows Server 2016 or Windows 10 (build 1809).
  • PowerShell 5.1 or later.
  • An account that is a member of the built-in Administrators group.

Installation

Windows Server 2019 and newer

Install the OpenSSH server by running the following command in PowerShell on the machine:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Windows Server 2016 and older

Deploy the SSH extension for Windows. The extension provides an automated installation of the Win32 OpenSSH solution, similar to enabling the capability in newer versions of Windows.

Configuration

To start and configure OpenSSH Server for initial use, open an elevated PowerShell prompt (right-click, then Run as administrator) and run the following commands to start the sshd service:

# Start the sshd service
Start-Service sshd

# OPTIONAL but recommended: start the sshd service automatically at boot
Set-Service -Name sshd -StartupType 'Automatic'

# Confirm the firewall rule is configured. Setup should create it automatically; the following verifies it and creates it if it is missing.
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
	Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
	New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
	Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}

To enable SSH public key authentication, follow the steps provided at:

https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement

The sshd_config file, located in the ssh folder under ProgramData (%ProgramData%\ssh), must also be updated to allow public key authentication. Add the following line:

PubkeyAuthentication yes

The public key must also be added to the correct file, either authorized_keys or administrators_authorized_keys, as determined by the previous steps.

The OpenSSH Server Service then needs to be restarted for the changes to take effect.

Troubleshooting

Can't get Public Key authentication working

Check the format of the public key: sshd expects a specific format, so make sure the key is stored in it.

sshd: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms

ssh-rsa is not supported by default for public key authentication. To enable it, add the following to the sshd_config file:

PubkeyAcceptedKeyTypes=+ssh-rsa
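
One way to check for both troubleshooting cases above, as an added example that is not part of the original article: the function tests each authorized_keys line for the OpenSSH one-line format and flags RSA keys. The function names and the sample keys are constructed for illustration.

```powershell
# Added example: test authorized_keys-style lines for the OpenSSH one-line format.
function Test-AuthorizedKeyLine {
    param([string]$Line)
    $text = $Line.Trim()
    if ($text -eq '' -or $text.StartsWith('#')) { return 'skip: blank or comment' }
    if ($text -match '^(-{4,5} ?BEGIN|PuTTY-User-Key-File)') {
        return 'bad: multi-line key file format, not the OpenSSH one-line format'
    }
    # Expected: [options] <key-type> <base64-blob> [comment]
    $pattern = '(?:^|\s)(?<type>ssh-(?:rsa|ed25519)|ecdsa-sha2-\S+|sk-\S+)\s+(?<blob>[A-Za-z0-9+/]+={0,2})(?:\s|$)'
    $m = [regex]::Match($text, $pattern)
    if (-not $m.Success) { return 'bad: no "<key-type> <base64>" pair found' }
    try { $bytes = [Convert]::FromBase64String($m.Groups['blob'].Value) }
    catch { return 'bad: key blob is not valid base64 (wrapped or truncated?)' }
    # The blob starts with a 4-byte big-endian length, then the key type name.
    if ($bytes.Length -lt 4) { return 'bad: key blob is too short' }
    $len = ([int]$bytes[0] -shl 24) -bor ([int]$bytes[1] -shl 16) -bor ([int]$bytes[2] -shl 8) -bor [int]$bytes[3]
    if ($len -le 0 -or $len -gt $bytes.Length - 4) { return 'bad: key blob is too short' }
    $inner = [Text.Encoding]::ASCII.GetString($bytes, 4, $len)
    $type = $m.Groups['type'].Value
    if ($inner -ne $type) { return "bad: line says '$type' but the blob holds '$inner'" }
    if ($type -eq 'ssh-rsa') {
        return 'ok: RSA key; a client that signs with ssh-rsa hits the PubkeyAcceptedAlgorithms error'
    }
    return "ok: $type"
}

# Constructed sample data (not real keys): a blob whose embedded type name is $Type.
function New-SampleKeyLine {
    param([string]$Type, [string]$Declared = $Type)
    $name = [Text.Encoding]::ASCII.GetBytes($Type)
    [byte[]]$blob = [byte[]](0, 0, 0, $name.Length) + $name + (New-Object byte[] 32)
    return "$Declared $([Convert]::ToBase64String($blob)) user@example"
}

$sample = @(
    (New-SampleKeyLine 'ssh-ed25519'),                # well formed
    (New-SampleKeyLine 'ssh-rsa'),                    # well formed RSA key
    (New-SampleKeyLine 'ssh-rsa' 'ssh-ed25519'),      # declared type differs from blob
    '---- BEGIN SSH2 PUBLIC KEY ----',                # first line of a multi-line key file
    'ssh-ed25519 AAAAC3Nz user@example'               # truncated blob
)
foreach ($line in $sample) { '{0} -> {1}' -f $line.Split(' ')[0], (Test-AuthorizedKeyLine $line) }
# For a real file: Get-Content <path to authorized_keys> | ForEach-Object { Test-AuthorizedKeyLine $_ }
```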

References

https://winscp.net/eng/docs/guide_windows_openssh_server

https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/connect-ssh

https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement